Bug 1417766 - ipa-replica-install fails on CA import "java.lang.Exception: Certificate caSigningCert cert-pki-ca is invalid: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized"
Summary: ipa-replica-install fails on CA import "java.lang.Exception: Certificate caSi...
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.3
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Depends On:
TreeView+ depends on / blocked
Reported: 2017-01-30 22:25 UTC by Amy Farley
Modified: 2020-10-04 21:22 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-02-26 13:27:27 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2707 0 None open Preserving subject DN encoding during renewal 2021-02-03 19:44:25 UTC

Description Amy Farley 2017-01-30 22:25:08 UTC
Description of problem:

After having a cert renewal failure on 7.2 master (due to loss of tracking on all certs), this replica was promoted and then used to renew its own certs.

It has been failing to install replicas, with issues stemming from what seems to be an extra ldap certificate?

Version-Release number of selected component (if applicable):


# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
-- This was updated to latest IPA packages, but it did not update the base RHEL as part of the yum update ipa-server

Comment 22 Endi Sukma Dewata 2017-02-07 16:07:53 UTC

Comment 23 Francesco Giannoccaro 2017-02-08 18:45:51 UTC
Thanks for the clarification about the change on the DN encoding.

From our prospective the troubleshooting process we went through in the last few weeks made clear that taking the faulty IPA systems to a stable and reliable status is very difficult if even not possible at all.
We have decided to perform an installation from scratch of a new IPA environment to reduce the risk in future of having same issue or other related issues. 

A short summary of the step we are currently following is:

1. perform a fresh install of IdM/IPA, and instead of setting the Winsync using Trust configuration 

2. create new domain as a subdomain of our corporate Windows AD (unix.phe.gov.uk)

3. sign the IdM/IPA root CA cert with the PHE AD root CA cert, so that clients can have a valid trust path for IdM/IPA issues certs

4. create a one way trust from the IdM/IPA to the PHE AD so that existing AD users can authenticate to IDM

5. run both IPA systems in parallel (the faulty and new one) and migrate things over in a controlled manor

Once we'll complete all the above step and all clients will be successfully migrated to the new IPA, we are keen to help - if you think it could be any how useful to resolve this bug - with performing further tests or apply patch to our faulty IPA system to test possible solution (maybe useful for other users).

Comment 24 Marc Sauton 2017-02-10 23:18:47 UTC
for the workaround the the CA's CS.cfg, note the order may be important:
may not have the same effect

Comment 25 Petr Vobornik 2017-02-17 16:55:55 UTC
*** Bug 1415852 has been marked as a duplicate of this bug. ***

Comment 26 Matthew Harmsen 2017-10-25 21:13:49 UTC
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Comment 27 Matthew Harmsen 2018-04-27 01:30:02 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:  7.6

alee: looks like it was tied to a customer case.  Need to confirm if this case is active.

Note You need to log in before you can comment on or make changes to this bug.